Moin!

On 22 Dec 2015, at 23:39, George Michaelson wrote:

> I want to dispute one part of this: the "DNSSEC may not scale well" part.
> With thanks to Ray Bellis, APNIC has been running an evldns webserver which
> signs on the fly, and we have achieved north of 3000 signs/second from this
> code on a smallish cloud node signing on demand.

While I think that online signing is feasible, there always is a cost/benefit ratio. This may be different when you do paid forward zones or when you have to provide the reverse service for free with your already low-margin internet service.

> Our model was unique domains (the 1x1 ad system) but Ray coded a simple
> ring buffer and for the repeat queries, there was a demonstrable cache
> benefit to keeping some amount of signed state live without having to
> re-sign.

Caching helps. When Nominum did that feature a couple of years ago we did measure above 10k queries or signs/second non-cached and above 100k qps when using the cache. However, in an attack scenario you almost certainly have to answer without the cache, and the qps numbers are easily in the millions of queries per second. Now non-DNSSEC you easily can answer 150k qps or more, so that is quite a huge factor to consider when scaling your infrastructure.

> I think that on-the-fly DNSSEC for IPv6 is tractable.

I'm sure it can be done. It just might not be feasible, which is why I think the statement in the draft that it may not scale as well as non-DNSSEC is valid in that scenario.

So long
-Ralf

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
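The trade-off discussed in this message (a signed-answer cache in front of an online signer helps for repeat queries, but unique-name attack traffic bypasses it and costs one signature per query) can be made concrete with a small simulation. This is an added example and not code from the thread, from APNIC's evldns setup or from Nominum's product. The "signature" is a stand-in (a SHA-256 digest counted per call, where a real signer would perform an RSA or ECDSA private-key operation), the cache is a FIFO ring buffer as the message describes, and all query workloads and owner names are constructed here for illustration.

```python
"""Simulate an on-the-fly DNSSEC signer with a ring-buffer cache of signed answers.

Added example; the signing step is a stand-in (hash) for a real RRSIG computation,
and every workload below is constructed synthetic traffic.
"""
from collections import OrderedDict
import hashlib
import random


class OnlineSigner:
    """Signs answers on demand and keeps the last `cache_slots` signatures live."""

    def __init__(self, cache_slots):
        self.cache = OrderedDict()   # insertion order doubles as a ring buffer
        self.cache_slots = cache_slots
        self.queries = 0
        self.signs = 0               # expensive operations actually performed
        self.hits = 0                # answers served from already-signed state

    def _sign(self, qname, qtype):
        # Stand-in for RRSIG generation (assumption: a real deployment would do an
        # RSA/ECDSA private-key operation here, which is the cost being debated).
        self.signs += 1
        return hashlib.sha256(f"{qname}|{qtype}".encode()).hexdigest()

    def answer(self, qname, qtype):
        self.queries += 1
        key = (qname.lower().rstrip(".") + ".", qtype)   # DNS names are case-insensitive
        sig = self.cache.get(key)
        if sig is not None:
            self.hits += 1
            return sig
        sig = self._sign(*key)
        if len(self.cache) >= self.cache_slots:
            self.cache.popitem(last=False)               # ring buffer: drop the oldest
        self.cache[key] = sig
        return sig


def run_workload(qnames, cache_slots, qtype="PTR"):
    """Feed a list of owner names through a signer; return the cost counters."""
    signer = OnlineSigner(cache_slots)
    for name in qnames:
        signer.answer(name, qtype)
    return {"queries": signer.queries, "signs": signer.signs, "hits": signer.hits}


def repeat_workload(n, popular, seed=1):
    """Normal traffic: n queries drawn from a small set of popular reverse names."""
    rng = random.Random(seed)
    names = [f"{i:x}.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.1.0.0.2.ip6.arpa."
             for i in range(popular)]
    return [rng.choice(names) for _ in range(n)]


def cyclic_workload(n, distinct):
    """Working set of `distinct` names visited round-robin (worst case for FIFO eviction)."""
    names = [f"host{i}.example.net." for i in range(distinct)]
    return [names[i % distinct] for i in range(n)]


def random_label_workload(n, seed=2):
    """Attack-style traffic: every query carries a fresh pseudo-random ip6.arpa name,
    so the signed-answer cache never sees a repeat and each query costs a signature."""
    rng = random.Random(seed)
    out = []
    for _ in range(n):
        nibbles = ".".join(rng.choice("0123456789abcdef") for _ in range(32))
        out.append(f"{nibbles}.ip6.arpa.")
    return out


if __name__ == "__main__":
    for label, work, slots in (
        ("repeat queries, cache larger than working set", repeat_workload(5000, 100), 1000),
        ("cyclic working set bigger than cache", cyclic_workload(1000, 200), 100),
        ("random-name flood", random_label_workload(5000), 1000),
    ):
        r = run_workload(work, slots)
        print(f"{label}: {r['queries']} queries -> {r['signs']} signs, {r['hits']} cache hits")
```

The first run shows the cache benefit the message attributes to Ray Bellis' ring buffer: once the popular names are signed, no further signing happens. The second shows the FIFO failure mode when the working set exceeds the buffer. The third is the attack scenario: with unique names, signs equal queries, so the signer must sustain the full query rate as signing rate, which is the capacity gap the reply is pointing at.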